
My Site is under heavy brute force attack

Discussion in 'Security' started by Sugavanas, Nov 3, 2014.

  1. #1
    Hello,

    For the past 36 hours my site has been under attack on the username admin. I have changed the login page, extended the lockout to 5 hours and made a block whenever anyone tries to log in with the admin username.

    For the first 12 hours, there were less than 5 bans in which the IP was not recorded, as the site was only banning IPs for 15 mins and gave the user 5 chances.

    I saw it and didn't get serious but just tightened the security, and I got over 40 attacks from different IPs. Each IP is banned immediately after trying to log in with the username, but still...

    It's really like spamming on me. The site was getting attacked continuously, 10 times, like 11 hours ago, and the attacks slowed to one attack an hour.

    Is there a possible way to block this? I don't mind the hacker hacking into the 'Admin' username account :p but getting noticed about this attack is hard. The IPs are from different countries, and some have sites hosted on them which seem fake and some are adult sites.

    Here is an IP list:


    All IPs are linked to www.ip-adress.com just in case you want to check.

    I am using WordPress with iThemes Security.
     
    Last edited: Nov 3, 2014
    Sugavanas, Nov 3, 2014 IP
  2. gkd_uk

    gkd_uk Well-Known Member

    #2
    This is why so many WordPress sites get hacked. Not changing the default admin username.

    They will give up eventually :)
     
    gkd_uk, Nov 3, 2014 IP
    Sugavanas likes this.
  3. Sugavanas

    Sugavanas Well-Known Member

    #3
    In my case the admin username doesn't exist :p but I just created an account with subscriber permission. Anyone trying to log in as admin with the right password will be locked out as well, including myself. My super admin user and pass are both randomly generated characters and it will take a person years to find the right combination of both through brute-force attacks :p

    My problem here is how to ban these IPs from getting into the site. They use up my bandwidth.

    And I posted the IPs out so people who can submit them to big blacklist sites can submit them too :p

    125.212.220.77

    One more IP while I was busy posting :p
     
    Last edited: Nov 3, 2014
    Sugavanas, Nov 3, 2014 IP
  4. Nigel Lew

    Nigel Lew Notable Member

    #4
    Nigel Lew, Nov 3, 2014 IP
    Sugavanas and gkd_uk like this.
  5. gkd_uk

    gkd_uk Well-Known Member

    #5
    I was just going to post the same plugin URL :)
     
    gkd_uk, Nov 3, 2014 IP
  6. Nigel Lew

    Nigel Lew Notable Member

    #6
    Heh, it's really not hard to lock down WordPress but it seems easier when done out of necessity. Folks don't take action until stuff has been hacked.

    Nigel
     
    Nigel Lew, Nov 3, 2014 IP
  7. Sugavanas

    Sugavanas Well-Known Member

    #7
    Yup, most of them. I had my security weak before this, because I was sure that no one could find the combination of both username and password for at least some years :p

    I will try the plugins :D
     
    Sugavanas, Nov 3, 2014 IP
  8. King-Servers

    King-Servers Greenhorn

    #8
    We can find that WordPress is mostly used on the internet, but there is also a major possibility that it will get hacked soon. It's compulsory for everybody to keep WordPress updated and this will help them get protected from attacks. The passwords should be strong enough, with a combination of several characters and special symbols.
     
    King-Servers, Nov 3, 2014 IP
  9. Ray Baron

    Ray Baron Member

    #9
    There are several WordPress admin brute-force bots going around.

    If you are the only person who logs into the admin, block wp-login.php to all but your IP address in htaccess. Replace xxx.xxx.xxx with your IP.

    # Serve a tiny static body for 403s so a blocked bot costs almost nothing
    ErrorDocument 403 "403"
    # Match wp-login.php exactly: escape the dot and anchor the end of the name
    <Files ~ "^wp-login\.php$">
    # With "Order deny,allow" the Allow directives override Deny, so only your IP gets through
    # ("Order allow,deny" would let "Deny from all" win and lock you out too)
    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx
    Satisfy All
    </Files>
    If there are reasons you cannot do that -- don't have a dedicated IP, for example -- change the WP admin login URL (search for "rename WordPress login" in WP plugins) and then block access to wp-login.php.

    Some of these bots will continue to hit the site for hours on end despite the block, so the ErrorDocument 403 "403" line reduces the resources consumed by the attack to a negligible amount.
     
    Ray Baron, Nov 7, 2014 IP
    Sugavanas likes this.
  10. Sugavanas

    Sugavanas Well-Known Member

    #10
    Mine is a dynamic IP. My biggest drawback in every kind of site I own :p

    That's ok, I increased the lockout period for IPs up to 1440 mins and the IPs listed above are blocked forever. Less than 2 attacks a day now.
     
    Sugavanas, Nov 8, 2014 IP
  11. toshost.com

    toshost.com Greenhorn

    #11
    You can also try to use a captcha on login.
     
    toshost.com, Nov 10, 2014 IP
  12. hostavps

    hostavps Member

    #12
    These WP and Joomla brute force attempts have got crazy lately. I've seen them on many servers. One thing that does work is using some mod_security rules, there are a few different ones out there to use, and then setting up CSF to ban on mod_sec alerts. That will eventually get it cleared up. Amazing how even in this age, just a few IPs can kill a server with PHP executions. You really gotta prepare for it or you will have outages.
     
    hostavps, Nov 28, 2014 IP
  13. TransNOC

    TransNOC Greenhorn

    #13
    We recommend you disable all security plugins (they read and write to the database heavily) and do the following:

    1. Install "Limit Login Attempts" and set it to a low number (2-5 tries before lockout per IP).
    2. Temporarily lock out all IPs except yours for wp-login.php.
    2A. Create a .htaccess file in /wp-admin/ and insert the following.

    # Block access to wp-admin.
    # With "order deny,allow" the allow directive overrides the deny, so only your IP gets through.
    order deny,allow
    # Replace x.x.x.x with your IP address
    allow from x.x.x.x
    deny from all

    3. If it's a VPS, file a ticket at TransNOC.com/open and we'll help you set up Fail2Ban and/or CSF on your server.
    4. Deny requests from those with no valid referrers in htaccess:

    # Stop spam attack logins and comments
    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Only act on POSTs to the login or comment handler ...
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} /(wp-comments-post|wp-login)\.php$
    # ... whose referrer is not this site, or whose user agent is empty
    RewriteCond %{HTTP_REFERER} !.*example\.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # Bounce the request back to the client's own address
    RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
    </IfModule>

    Change example.com to your domain.
     
    TransNOC, Nov 30, 2014 IP
  14. hostavps

    hostavps Member

    #14
    The mod_security rules for the WP brute force work well. We had a huge problem with this until I set it up. You do a good base ruleset like the Comodo WAF and then you use CSF and make sure you have it set to block on like 10 modsec failures.

    Here is the single rule for the WP brute force, put it in a config file and include it from httpd.conf.

    The modsec rules for Joomla brute force are in the Comodo WAF by default.

    <IfModule mod_security2.c>
            # This has to be global, cannot exist within a directory or location clause . . .
            # Every rule needs a unique id: the collection setup is 10010, the block rule below is 10011
            SecAction phase:1,nolog,pass,initcol:ip=%{REMOTE_ADDR},initcol:user=%{REMOTE_ADDR},id:10010
            <Location /wp-login.php>
                    # Setup brute force detection.

                    # React if block flag has been set.
                    SecRule user:bf_block "@gt 0" "deny,status:401,log,msg:'ip address blocked for 5 minutes, more than 15 login attempts in 3 minutes.',id:10011"

                    # Setup Tracking.  On a successful login, a 302 redirect is performed, a 200 indicates login failed.
                    SecRule RESPONSE_STATUS "^302" "phase:5,t:none,nolog,pass,setvar:ip.bf_counter=0,id:10012"
                    # The counter decays by 1 every 180 seconds; the chained rule (which carries no id of its own) sets the block flag for 300 seconds.
                    SecRule RESPONSE_STATUS "^200" "phase:5,chain,t:none,nolog,pass,setvar:ip.bf_counter=+1,deprecatevar:ip.bf_counter=1/180,id:10013"
                    SecRule ip:bf_counter "@gt 15" "t:none,setvar:user.bf_block=1,expirevar:user.bf_block=300,setvar:ip.bf_counter=0"
            </Location>
    </IfModule>

     
    hostavps, Dec 24, 2014 IP
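The same counter that the modsec rule above keeps (reset on a 302, increment on a 200, block once more than 15 failures land inside 3 minutes, block for 5 minutes), applied to Apache access-log lines the way the Fail2Ban setup mentioned in TransNOC's post would. This is an added stand-alone Python example, not code from any post in this thread; the log lines are constructed samples and the client addresses are documentation IPs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: client IP, timestamp, request line and status are all this check needs
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
THRESHOLD = 15                     # more than 15 failed logins ...
WINDOW = timedelta(seconds=180)    # ... inside a 3-minute sliding window ...
BAN_FOR = timedelta(seconds=300)   # ... earns a 5-minute block, the same numbers as the modsec rule

def parse(line):
    """Return (ip, timestamp, method, path, status), or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["method"],
            m["path"].split("?")[0], int(m["status"]))

def detect_bruteforce(lines):
    """Map client IP -> ban expiry for every client exceeding THRESHOLD failed logins within WINDOW."""
    attempts = defaultdict(deque)   # per-IP timestamps of recent failed POSTs to wp-login.php
    bans = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        if status == 302:           # WordPress redirects after a successful login: reset the counter
            attempts[ip].clear()
        if status != 200:           # only a 200 that re-renders the form counts as a failure
            continue
        q = attempts[ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop failures that have aged out of the window
            q.popleft()
        if len(q) > THRESHOLD and ip not in bans:
            bans[ip] = ts + BAN_FOR
            q.clear()               # like setvar:ip.bf_counter=0 in the modsec rule
    return bans

def sample_log():
    """Constructed sample: 203.0.113.7 fails 20 times in two minutes; 198.51.100.9 fails twice, then succeeds."""
    base = datetime(2014, 11, 3, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST /wp-login.php HTTP/1.1" {st} 4125 "-" "Mozilla/5.0"'
    stamp = lambda secs: (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return ([fmt.format(ip="203.0.113.7", ts=stamp(6 * i), st=200) for i in range(20)] +
            [fmt.format(ip="198.51.100.9", ts=stamp(30 * i), st=st) for i, st in enumerate((200, 200, 302))])
```

Feeding a real access log through `detect_bruteforce` gives the list of addresses a firewall rule (CSF, iptables) should block and until when; the legitimate user who fails twice and then logs in is never listed because the 302 resets the counter.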
  15. AnaWade

    AnaWade Peon

    #15
    You must update your WordPress site regularly. This will help protect your website from attacks. The password must contain special characters so that it cannot be cracked easily.
     
    AnaWade, Mar 18, 2015 IP